We run a closed policy inbound firewall, and all non-IT run services
must be registered before they're allowed an open port. The registering
department is responsible for all security patches and problems, and
must provide a 24/7 contact number for the administrator, as well as 2
backup numbers. They must also register the type of data being held so
we know what's potentially lost in an incident. We also try to offer
them our physically secure server room, UPS and generator power backup
and nightly data backups to 'sway' them to let us host it. This has
deterred most departments from wanting to host their own services, but a
few still insist.
It hasn't been much headache at all. In fact, it's been easier because
we know exactly what internet-facing services we have and can disable
the port on the firewall or the physical ethernet port quickly if
necessary.
-Tim
-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Jordan Wiens
Sent: Monday, July 24, 2006 5:47 PM
To: UNIversity Security Operations Group
Subject: [unisog] registering servers
We've got a policy of blocking outbound port 25 and requiring mail
servers to be registered. This has saved us a lot of headaches over the
past few years and we're looking at what other Universities have done in
regards to registering other services besides just outbound mail.
Can those who have experience with registering some or all of the
services on their campus before allowing access comment to me (either
off or on list) and I'll report with a summary of the results?
I'm specifically interested in how much work it was to implement,
whether you have stuck with the initial design, unforeseen problems,
whether the benefits outweigh the cost, etc.
--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061
_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog